Kalibios

Privacy Policy

This Privacy Policy governs the processing of personal data and information collected by Kalibios AG, with registered office in Basel, Swiss Innovation Park Basel, Lichtstrasse 35 (hereinafter referred to as "Kalibios" or the "Data Controller"), acting as data controller, for the purposes and in the manner described below, in compliance with the Swiss Federal Act on Data Protection ("FADP") of 2020 and the implementing Ordinance on Data Protection ("Ordinance"), as well as Article 13 of Regulation (EU) 2016/679 (hereinafter the "GDPR") and applicable implementing legislation.

For users located in Switzerland, the processing of personal data is primarily governed by the Swiss Federal Act on Data Protection (FADP) and the Ordinance; for users located in the European Economic Area (EEA), the GDPR also applies, to the extent applicable.

1. Personal Data Collected

Your personal data are provided directly by you when you register for the Kalibios "Aurora" application (the "Application") and/or use the products and services provided by Kalibios through the Application. The personal data collected and processed by Kalibios include:

  • Data you provide upon registration, onboarding, and use of the Application, including:
    • Your identifying data such as name, surname, date of birth, email address, telephone number, preferred language, and location;
    • Data concerning your characteristics, preferences, and conditions. Such data may include, for example, height, weight, age, information related to dietary preferences, presence of allergies or intolerances, health status (such as existing medical conditions), training preferences, stress and sleep conditions;
    • Data related to your use of the Application, including content viewed and session frequency;
    • For the Nutrition service, data relating to the generated meal plan, dish substitutions, and menu scans;
    • For the Fit service, data relating to the generated training plan, exercise substitutions, session frequency, and daily step count;
    • Personal data you may voluntarily provide when interacting with the AI (Aurora chat);
  • Billing data such as address and, where required, tax identification number;
  • Any personal data you provide when contacting customer service;
  • Data you provide when visiting or interacting with Kalibios' social media profiles;
  • Data automatically received such as browser type and version, mobile device and unique device identifier, hardware and software characteristics, as well as information collected through cookies.

Some of the data processed (e.g., information relating to health status, existing medical conditions, stress and sleep conditions, allergies/intolerances) is considered personal data deserving special protection under the FADP and will be treated with particular care.

2. Purposes of Processing and Legal Basis

The personal data described in Section 1 is processed by Kalibios for the following purposes:

  • managing the registration to the Application, providing the related products, services, and functionalities, and supporting customer service requests;
  • handling subscription payments to the Application and related invoicing;
  • profiling activities to personalize Nutrition and Fit plans and Application content, based on data provided by the user to assess preferences and needs, including health and lifestyle aspects; where the profiling poses a high risk to personality or fundamental rights, explicit consent will be requested, and additional protective measures adopted;
  • advancing scientific research and improving services by Kalibios and its service providers, using anonymized data;
  • performing statistical analyses on anonymized data;
  • sending periodic updates on Kalibios' activities and commercial and promotional communications regarding discounts, offers, services, or events, through email, SMS, and/or WhatsApp;
  • possibly receiving commercial and promotional communications by telephone calls operated by an agent;
  • using and, if necessary, communicating personal data in anonymized or pseudonymized form to third parties, research entities, or scientific partners for scientific research, studies, statistical analyses, and model development.

Processing is based on the execution of a contract and, where applicable, your prior consent, according to the principles of lawfulness, good faith, proportionality, and purpose limitation under the FADP:

  • execution of a contract for purposes under (a), (b), and (c), lawful under Article 6(1)(b) of the GDPR;
  • your prior consent for purposes under (f), (g), and (h), which can be revoked at any time without affecting the lawfulness of processing done before withdrawal.

Consent given for (f) also includes marketing and sales communications sent via email, SMS, and WhatsApp.

You may revoke consent entirely or partially for specific communication channels at any time through the Application or by contacting Kalibios at privacy@kalibios.com.

Anonymous data processing for purposes (d) and (e) does not require your consent.

Provision of data is optional; however, refusal to provide essential data for registration, paid services, invoicing, customer support, profiling, and payments will result in inability to use part or all of Kalibios' services. Objection or withdrawal of consent for contract-based purposes will lead to suspension of related services.

Refusal of consent for updates and promotional communications will not affect other services but will limit receipt of marketing content.

3. Methods of Personal Data Processing

The processing of your personal data for the purposes described in Section 2 shall be carried out using paper-based, automated, and electronic means, according to logical criteria functional to the purposes for which the data were collected and always observing all necessary precautions to guarantee the security and confidentiality of information, in compliance with the FADP and the GDPR.

Kalibios adopts appropriate technical and organizational measures to protect personal data from unauthorized access, loss, misuse, or alteration. When processing involves health-related data and profiling, and constitutes a high risk to the personality or fundamental rights of users, Kalibios performs a data protection impact assessment (DPIA) in accordance with the FADP.

4. Disclosure of Personal Data

Within the Data Controller's organization, your personal data may be processed only by employees who require access to such data exclusively for the performance of their duties and for the provision of services. Such employees are formally appointed as data processors by Kalibios and trained on the obligations established by the GDPR.

In carrying out its activities, Kalibios may disclose your personal data to third parties, including partners and service providers acting on behalf of Kalibios, payment management companies, mailing companies, Data Controller's consultants, and call centers. These third parties are appointed by Kalibios as data processors for the purposes of managing registration and payments, delivering the related services, or for additional purposes to which you have given consent, and are contractually bound to comply with the FADP and, where applicable, the GDPR. A complete list of data processors appointed by Kalibios can be easily and freely accessed upon request sent to the contact details provided in Section 8 of this Privacy Notice.

Kalibios may also disclose your data to judicial authorities or other authorities to respond to subpoenas, comply with court orders or legitimate requests from competent authorities; to assert or defend our rights in court; for investigative, crime prevention, or crime fighting purposes; and in any other cases provided by law.

Furthermore, Kalibios may disclose only anonymous data collected through cookies to its clients, commercial partners, and cooperating companies. Except as stated herein, your personal data will not be disclosed to other third parties nor otherwise disseminated.

5. Retention of Personal Data

Your personal data will be stored on cloud servers provided to Kalibios, generally located in Switzerland and/or the European Union, except for data of clients in other jurisdictions (e.g., Malaysia) which may be stored and processed in those jurisdictions.

If personal data are disclosed or made accessible to recipients located outside Switzerland or the European Economic Area, Kalibios guarantees an adequate level of data protection in accordance with Articles 16 and 17 of the FADP, for example, through adequacy decisions by the Swiss Federal Council or by means of standard contractual clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC). Upon request, users can obtain information about third countries involved and the safeguards adopted.

Personal data collected for the processing purposes indicated in Section 2, letters a), b), and c) will be retained for the duration of your registration on the Application. Subsequently, personal data will be retained for no longer than the statute of limitations period provided by law for possibly asserting or defending a right in court against you or third parties.

Data collected for the processing purposes indicated in Section 2, letters f), g), and h) will be retained until you withdraw consent to receive commercial and promotional communications or data transfer, or you request data deletion, except for the exceptional necessity to retain data to defend the Controller's rights in relation to disputes pending at the time of the request, or as indicated by public authorities.

6. Your Rights

Pursuant to Articles 15 to 21 of the GDPR, you have the right to:

  • obtain information regarding the purposes for which your personal data is processed, the duration of processing, and the recipients to whom your data is disclosed (the right of access);
  • obtain correction or completion of inaccurate personal data concerning you (the right to rectification);
  • obtain the deletion of personal data concerning you in the following cases: (i) the data is no longer necessary for the purposes for which it was collected or processed; (ii) you have withdrawn your consent where the data is processed on the basis of such consent; (iii) you have objected to the processing of your personal data where processed for Kalibios' legitimate interests; or (iv) the processing of your personal data is unlawful. However, please note that Kalibios' retention of personal data is lawful if necessary to comply with a legal obligation or to establish, exercise, or defend a legal claim (the right to erasure);
  • obtain restriction of processing where: (i) you contest the accuracy of personal data for the period necessary to allow Kalibios to verify the accuracy of such data; (ii) the processing is unlawful but you oppose deletion; (iii) the personal data is required by you for the establishment, exercise, or defense of legal claims; (iv) you have objected to the processing and verification is pending concerning whether Kalibios' legitimate grounds prevail over yours (the right to restriction);
  • obtain cessation of processing where your personal data is processed based on Kalibios' legitimate interests and you contest the existence of such interest (the right to object);
  • obtain, within the limits permitted by law, the deletion or anonymization of personal data concerning you where it is no longer necessary for the purposes for which it was collected or processed (the right to anonymization);
  • receive your personal data processed by automated means, in a commonly used, machine-readable, and interoperable format if processed on the basis of a contract or your consent (the right to data portability).

For users in Switzerland, these rights are exercised within the limits defined by the Swiss Federal Act on Data Protection (FADP) and its implementing provisions.

To exercise your rights under this Section 6, you may send a request to the Data Controller via email to privacy@kalibios.com or by registered mail to Kalibios' registered office as indicated in Section 8 below.

You also have the right to lodge a complaint with the competent supervisory authority to enforce your rights regarding the processing of your personal data. Users in Switzerland may address complaints to the Swiss Federal Data Protection and Information Commissioner (FDPIC).

7. Cookies

Kalibios uses technical and analytical cookies to collect and access information stored on your device. For more information, please visit Kalibios' Cookie Policy.

8. Data Controller

The Data Controller is Kalibios AG, with registered office located at Swiss Innovation Park Basel, Lichtstrasse 35, Basel, Switzerland.

For requests or reports, the Data Controller can be contacted at the following email address: privacy@kalibios.com.